What Is Gramm-Leach-Bliley Act?
The Gramm-Leach-Bliley Act (also called the Financial Services Modernization Act) is the federal framework for how financial institutions collect, share, and protect non-public personal information (NPI). GLBA applies broadly — not just to banks but to any business 'significantly engaged' in financial activities: mortgage lenders, credit reporting bureaus (alongside FCRA), insurers, securities firms, loan servicers, debt collectors, tax preparers, and real-estate settlement services. GLBA is built on three pillars: the Privacy Rule (transparency via annual notices), the Opt-Out Rule (consumer control over NPI sharing with non-affiliated third parties), and the Safeguards Rule (administrative, technical, and physical security programs). The 2023 Safeguards Rule amendments added a 30-day incident-reporting requirement.
At a glance
- Full name: Gramm-Leach-Bliley Act
- Short code: GLBA
- Enacted: 1999
- Last major update: Safeguards Rule 2023 amendments (incident reporting)
- Jurisdiction: United States (federal)
- Private right of action: No
- Primary enforcer: FTC, CFPB, federal banking regulators (OCC, FDIC, NCUA, Federal Reserve), state insurance regulators
- Statutory citation: 15 U.S.C. §§ 6801-6809
Scope — who GLBA covers
Protected data
Consumer rights & protections
Right to receive a privacy notice at the start of a customer relationship and annually (since the FAST Act of 2015, some institutions need only send a new notice when their practices materially change)
Right to opt out of the sharing of NPI with non-affiliated third parties (with limited exceptions)
Right to reasonable security protecting your NPI (via the Safeguards Rule)
Right to receive notice of security incidents affecting your data (per 2023 Safeguards Rule amendments — 500+ consumer threshold)
Right to protection against pretexting: obtaining financial information through false pretenses is a crime under GLBA
Notable features
GLBA's opt-out is one of only a handful of federal privacy opt-outs. The 2023 Safeguards Rule amendments introduced the first federal incident-reporting requirement for financial institutions (modeled on state breach-notification laws). GLBA famously exempts information shared with CRAs under FCRA — meaning a bank's data sharing with Experian/Equifax/TransUnion is governed by FCRA, not GLBA.
Enforcement & penalties
Enforcing agency: FTC, CFPB, federal banking regulators (OCC, FDIC, NCUA, Federal Reserve), state insurance regulators
Penalties: Civil penalties up to $100,000 per violation for institutions; $10,000 per violation for officers and directors. Criminal pretexting penalties include fines up to $500,000 and up to 5 years imprisonment. Safeguards Rule violations routinely produce FTC consent decrees with multi-year compliance monitoring.
Private right of action: GLBA does not grant a private right of action — enforcement is exclusive to the FTC, CFPB, and prudential regulators. Consumers harmed by a GLBA violation generally must rely on state common-law claims (breach of contract, negligence) or state privacy laws to sue directly.
Landmark enforcement cases
FTC v. Ascension Data & Analytics
2020: The FTC settled with a mortgage analytics firm for failing to ensure that a service provider adequately secured personal information of tens of thousands of mortgage holders — an early enforcement of the Safeguards Rule's service-provider oversight obligations.
Relevance to data brokers
GLBA is the governing law when a data broker acquires financial NPI from banks, credit unions, mortgage brokers, or insurers. Brokers that aggregate financial data are often covered indirectly through GLBA's service-provider obligations — and financial institutions that share NPI must give consumers opt-out notices first. If your financial data reached a broker via a bank's third-party sharing program, GLBA opt-out at the source institution is the correct remediation path.
Exercise your rights
Remove your data from 300+ brokers for $5
OfflistMe drafts opt-out emails citing GLBA and other applicable laws. Citations included. You send from your own inbox. No account, no ID upload.
FAQ
Does GLBA apply to fintechs and payment apps?
Yes, if they are 'significantly engaged' in financial activities — lending, money transmission, payment processing, or offering accounts that function like deposit accounts. PayPal, Cash App, Venmo, and Chime are generally considered GLBA financial institutions for their core financial services.
How do I opt out of GLBA sharing?
Each financial institution must provide an opt-out method in its annual privacy notice — typically a checkbox, toll-free number, or URL. The opt-out applies to sharing with non-affiliated third parties and must remain effective until revoked. Note: the opt-out does NOT cover sharing with affiliates (other companies under common ownership) or service providers performing the institution's own functions.
Does GLBA override state privacy laws?
No — GLBA has no express preemption of stronger state laws. A state like California (CCPA) can impose additional requirements on GLBA-covered institutions for the non-GLBA portions of their business (e.g., marketing data that is not NPI). Financial institutions must comply with both.
Official sources & citations
Other federal privacy laws
Federal privacy law is sectoral — each statute covers a specific data type or industry. Here are the other federal regimes to know alongside GLBA: